diff --git a/.github/workflows/main-pipeline-cdk.yml b/.github/workflows/main-pipeline-cdk.yml
index d6cdc55..18a4acd 100644
--- a/.github/workflows/main-pipeline-cdk.yml
+++ b/.github/workflows/main-pipeline-cdk.yml
@@ -19,11 +19,6 @@ on: branches: - main - # TEMP DEBUG!!!: - push: - branches: - - main - #### Overall Strategy: # If Open a PR: Make sure everything can Synth (No deploy) # If Merge a PR: Deploy to your account (No synth, it just passed) 
@@ -59,71 +54,71 @@ jobs: echo "deploy-config-files=$json_list" >> "$GITHUB_OUTPUT" - # cdk-synth: - # if: ( github.event_name == 'pull_request' && github.event.action != 'closed' ) || - # ( github.event_name == 'workflow_dispatch' ) - # runs-on: ubuntu-latest - # needs: - # - setup-matrix - # strategy: - # matrix: - # example-config: ${{ fromJson(needs.setup-matrix.outputs.synth-matrix) }} - # steps: - # - uses: actions/checkout@v4 - - # - name: Setup CDK - # uses: ./.github/workflows/composite-setup-cdk - - # - name: "Synthesize: ${{ matrix.example-config }}" - # run: make cdk-synth config-file="${{ env.EXAMPLES_PATH }}/${{ matrix.example-config }}" - - # cdk-deploy-base: - # ## If the PR is merged, or if we manually trigger it (MAIN ONLY): - # # !failure() && !cancelled(): Let it check the 'if' block here, EVEN if cdk-synth skipped. - # # (it'll skip when PR is merged. No point in synthing again since it has to pass TO merge) - # if: | - # !failure() && !cancelled() && ( - # ( github.event_name == 'pull_request' && github.event.pull_request.merged ) || - # ( github.event_name == 'workflow_dispatch' ) - # ) - # runs-on: ubuntu-latest - # needs: - # - setup-matrix - # - cdk-synth - # permissions: - # id-token: write - # contents: read - # steps: - # # Moved this check away from the job-level 'if', so it actually fails if you're - # # not on main. Failure is easier to see than a skipped job. - # - name: Fail if not 'main' (else skips this step) - # # Yes the pull_request line is redundant with the 'branch' trigger at the top of the - # # file, but better safe than sorry. Keeps the logic uniform with workflow_dispatch too. 
- # if: ( github.event_name == 'pull_request' && github.base_ref != 'main' ) || - # ( github.event_name == 'workflow_dispatch' && github.ref != 'refs/heads/main' ) - # run: exit -1 - - # - uses: actions/checkout@v4 - - # # Install everything: - # - name: Setup CDK - # uses: ./.github/workflows/composite-setup-cdk - - # # Log into AWS: - # - uses: aws-actions/configure-aws-credentials@v4 - # with: - # aws-region: "${{ vars.AWS_REGION }}" - # role-to-assume: "arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ vars.AWS_DEPLOY_ROLE }}" - - # # Deploy the Base Stack: - # - name: Deploy Base Stack - # run: make cdk-deploy-base + cdk-synth: + if: ( github.event_name == 'pull_request' && github.event.action != 'closed' ) || + ( github.event_name == 'workflow_dispatch' ) + runs-on: ubuntu-latest + needs: + - setup-matrix + strategy: + matrix: + example-config: ${{ fromJson(needs.setup-matrix.outputs.synth-matrix) }} + steps: + - uses: actions/checkout@v4 + + - name: Setup CDK + uses: ./.github/workflows/composite-setup-cdk + + - name: "Synthesize: ${{ matrix.example-config }}" + run: make cdk-synth config-file="${{ env.EXAMPLES_PATH }}/${{ matrix.example-config }}" + + cdk-deploy-base: + ## If the PR is merged, or if we manually trigger it (MAIN ONLY): + # !failure() && !cancelled(): Let it check the 'if' block here, EVEN if cdk-synth skipped. + # (it'll skip when PR is merged. No point in synthing again since it has to pass TO merge) + if: | + !failure() && !cancelled() && ( + ( github.event_name == 'pull_request' && github.event.pull_request.merged ) || + ( github.event_name == 'workflow_dispatch' ) + ) + runs-on: ubuntu-latest + needs: + - setup-matrix + - cdk-synth + permissions: + id-token: write + contents: read + steps: + # Moved this check away from the job-level 'if', so it actually fails if you're + # not on main. Failure is easier to see than a skipped job. 
+ - name: Fail if not 'main' (else skips this step) + # Yes the pull_request line is redundant with the 'branch' trigger at the top of the + # file, but better safe than sorry. Keeps the logic uniform with workflow_dispatch too. + if: ( github.event_name == 'pull_request' && github.base_ref != 'main' ) || + ( github.event_name == 'workflow_dispatch' && github.ref != 'refs/heads/main' ) + run: exit -1 + + - uses: actions/checkout@v4 + + # Install everything: + - name: Setup CDK + uses: ./.github/workflows/composite-setup-cdk + + # Log into AWS: + - uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: "${{ vars.AWS_REGION }}" + role-to-assume: "arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ vars.AWS_DEPLOY_ROLE }}" + + # Deploy the Base Stack: + - name: Deploy Base Stack + run: make cdk-deploy-base cdk-deploy-leaf: runs-on: ubuntu-latest needs: - setup-matrix - # - cdk-deploy-base + - cdk-deploy-base strategy: matrix: deploy-config: ${{ fromJson(needs.setup-matrix.outputs.deploy-matrix) }} 
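Review bot: The re-enabled `cdk-synth` job has no `permissions:` block, so its `GITHUB_TOKEN` falls back to the repository default, while the sibling `cdk-deploy-base` pins `contents: read`; since the job checks out and runs `make` on pull-request code, pin it the same way by adding `permissions:` / `contents: read` under `cdk-synth`. The "Fail if not 'main'" step uses `run: exit -1`, which bash reports as status 255 — `exit 1` is the conventional explicit failure and does not read like a typo. Worth confirming that the `pull_request` trigger's `types:` (above this hunk) includes `closed`, otherwise the `github.event.pull_request.merged` branch of the job-level `if:` can never fire, and that `actions/checkout@v4` on that closed event resolves to the commit that actually landed on `main` rather than a stale pre-merge test-merge ref, since that is what gets deployed with the assumed AWS role.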
@@ -134,46 +129,25 @@ jobs: steps: - uses: actions/checkout@v4 - # # Install everything: - # - name: Setup CDK - # uses: ./.github/workflows/composite-setup-cdk + # Install everything: + - name: Setup CDK + uses: ./.github/workflows/composite-setup-cdk - # # Log into AWS: - # - uses: aws-actions/configure-aws-credentials@v4 - # with: - # aws-region: "${{ vars.AWS_REGION }}" - # role-to-assume: "arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ vars.AWS_DEPLOY_ROLE }}" + # Log into AWS: + - uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: "${{ vars.AWS_REGION }}" + role-to-assume: "arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ vars.AWS_DEPLOY_ROLE }}" # Deploy the Leaf Stack: - name: "Deploying: ${{ matrix.deploy-config }}" + ## Load and mask the container-specific variables, then deploy. # container-id: Take off the beginning './' and the end '-example.yaml' run: | - for key_var in $( echo "${{ vars.CONTAINER_VARS }}" | tr '\n' ' ' ); do - echo "::add-mask::${key_var#*=}" - echo "$key_var" - export ${key_var} + for key_val in $( echo "${{ vars.CONTAINER_VARS }}" | tr '\n' ' ' ); do + echo "::add-mask::${key_val#*=}" + export ${key_val} done - echo "OUTSIDE! ${TEST_1}" - env: - # TODO: I hate how we have to expose ALL secrets to ALL containers... - # Is there a better way to select which matrixes get which secrets? - # I know environments do it, maybe that's the route to go... - # BUT how do you not have to manage this list? It'd be nice if - # I can find a way to "make everything in the environment available". - - # One idea, have a env-var that stores a list of all the variables. Source - # that list before deploying, and each environment can hold specific env-vars. - # (there'll be secrets though... maybe mask all values?) - MINECRAFT_RCRON_PASSWORD: "${{ secrets.MINECRAFT_RCRON_PASSWORD }}" - VALHEIM_SERVER_PASS: "${{ secrets.VALHEIM_SERVER_PASS }}" - - - - # while IFS= read -r line || [[ -n $line ]]; do - # echo "... $line ..." 
- # done < <(printf '%s' "${{ vars.CONTAINER_VARS }}") - - - # make cdk-deploy-leaf \ - # config-file="${{ env.EXAMPLES_PATH }}/${{ matrix.deploy-config }}" \ - # container-id=$(echo "${{ matrix.deploy-config }}" | sed -E 's/^\.\///' | sed -E 's/-example\.ya?ml$//i') \ No newline at end of file + make cdk-deploy-leaf \ + config-file="${{ env.EXAMPLES_PATH }}/${{ matrix.deploy-config }}" \ + container-id=$(echo "${{ matrix.deploy-config }}" | sed -E 's/^\.\///' | sed -E 's/-example\.ya?ml$//i')
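Review bot: The `::add-mask::` calls in the new loop run too late to protect anything, because `${{ vars.CONTAINER_VARS }}` is template-expanded into the `run:` script before bash starts and the runner prints the expanded script in the step's log header before any command executes; the same inline expansion also means a quote or `$(` inside the variable's value (or inside a `matrix.deploy-config` filename) is interpreted by the shell. Pass both values through the step's `env:` and read them as `"$CONTAINER_VARS"` / `"$DEPLOY_CONFIG"` as sketched below; that also lets a `while read` loop replace the `tr '\n' ' '` word-splitting, which silently breaks any value containing a space, and the unquoted `export ${key_val}`, which is subject to glob expansion and fails the `-e` shell on a blank line. Separately, the removed `env:` block and its TODO suggest `CONTAINER_VARS` now carries the server passwords formerly read from `secrets.*`; configuration variables are stored in plaintext and are not redacted by the runner, so if that is the case the value belongs in a repository or environment secret rather than a `vars` entry. The job's `permissions:` and any job-level `if:` sit above this hunk and were not reviewed here.

```yaml
      - name: "Deploying: ${{ matrix.deploy-config }}"
        # Pass untrusted/sensitive values via env so they are never inlined into the script.
        env:
          CONTAINER_VARS: ${{ vars.CONTAINER_VARS }}
          DEPLOY_CONFIG: ${{ matrix.deploy-config }}
        run: |
          while IFS= read -r key_val || [[ -n "$key_val" ]]; do
            [[ -z "$key_val" ]] && continue
            echo "::add-mask::${key_val#*=}"
            export "$key_val"
          done <<< "$CONTAINER_VARS"
          make cdk-deploy-leaf \
            config-file="${EXAMPLES_PATH}/${DEPLOY_CONFIG}" \
            container-id="$(echo "$DEPLOY_CONFIG" | sed -E 's/^\.\///' | sed -E 's/-example\.ya?ml$//i')"
```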